[Swan-dev] break down of 5.0 fixes v2

Andrew Cagney andrew.cagney at gmail.com
Tue Dec 26 21:44:30 EET 2023


>   building: do not abuse USE_IPTABLES or USE_NFTABLES
>   building: add sanity check for USE_CAT and USE_NFLOG
>   building: fix logics in sanity check
>   building: when USE_NFLOG is disabled, disable it really
>   ... with more to come ...

for instance, see attached:
-------------- next part --------------
diff --git a/mk/config.mk b/mk/config.mk
index 21096a051f..341252984c 100644
--- a/mk/config.mk
+++ b/mk/config.mk
@@ -649,9 +649,6 @@ TRANSFORM_VARIABLES = $(SED) \
 			-e "s:@@SD_WATCHDOGSEC@@:$(SD_WATCHDOGSEC):g" \
 			-e "s:@@SHELL_BINARY@@:$(SHELL_BINARY):g" \
 			-e "s:@@USE_DEFAULT_CONNS@@:$(USE_DEFAULT_CONNS):g" \
-			-e "s:@@USE_IPTABLES@@:$(USE_IPTABLES):g" \
-			-e "s:@@USE_NFTABLES@@:$(USE_NFTABLES):g" \
-			-e "s:@@USE_NFLOG@@:$(USE_NFLOG):g" \
 			$(patsubst %, -e %, $(TRANSFORMS))
 
 # For KVM testing setup
@@ -771,34 +768,81 @@ ifeq ($(USE_NM),true)
 USERLAND_CFLAGS+=-DHAVE_NM
 endif
 
+#
+# Enable Client Address Translation; what ever that is.
+#
+
 USE_CAT ?= false
+
 ifeq ($(USE_CAT),true)
 USERLAND_CFLAGS += -DUSE_CAT
 endif
 
-# USE_CAT requires either USE_NFTABLES or USE_IPTABLES
-ifeq ($(USE_NFTABLES),false)
-ifeq ($(USE_IPTABLES),false)
-ifeq ($(USE_CAT),true)
-$(error ERROR: USE_CAT is set but neither USE_NFTABLES nor USE_IPTABLES is set)
-endif
-endif
-endif
+TRANSFORMS += -e 's:@@USE_CAT@@:$(USE_CAT):g'
+
+#
+# Enable NFLOG; what ever that is.
+#
 
 USE_NFLOG ?= false
+
 ifeq ($(USE_NFLOG),true)
 USERLAND_CFLAGS += -DUSE_NFLOG
 endif
 
-# USE_NFLOG requires either USE_NFTABLES or USE_IPTABLES
-ifeq ($(USE_NFTABLES),false)
-ifeq ($(USE_IPTABLES),false)
+TRANSFORMS += -e 's:@@USE_NFLOG@@:$(USE_NFLOG):g'
+
+#
+# IPTABLES vs NFTABLES
+#
+
+USE_IPTABLES ?= false
+
+ifeq ($(USE_IPTABLES),true)
+USERLAND_CFLAGS += -DUSE_IPTABLES
+endif
+
+TRANSFORMS += -e 's:@@USE_IPTABLES@@:$(USE_IPTABLES):g'
+
+USE_NFTABLES ?= false
+
+ifeq ($(USE_NFTABLES),true)
+USERLAND_CFLAGS += -DUSE_NFTABLES
+endif
+
+TRANSFORMS += -e 's:@@USE_NFTABLES@@:$(USE_NFTABLES):g'
+
+#
+# Check for conflicts between NFTABLES, IPTABLES, CAT and 
+# NFLOG.
+#
+# CAT and NFLOG require one of USE_NFTABLES or USE_IPTABLES.  Can't
+# have both USE_NFTABLES and USE_IPTABLES.
+#
+# Do this after all the MAKE variables have been initialized.
+
+ifeq ($(USE_CAT),true)
+ifneq ($(USE_NFTABLES),true)
+ifneq ($(USE_IPTABLES),true)
+$(error ERROR: USE_CAT is set but neither USE_NFTABLES nor USE_IPTABLES is true)
+endif
+endif
+endif
+
 ifeq ($(USE_NFLOG),true)
-$(error ERROR: USE_NFLOG is set but neither USE_NFTABLES nor USE_IPTABLES is set)
+ifneq ($(USE_NFTABLES),true)
+ifneq ($(USE_IPTABLES),true)
+$(error ERROR: USE_NFLOG is set but neither USE_NFTABLES nor USE_IPTABLES is true)
 endif
 endif
 endif
 
+ifeq ($(USE_NFTABLES),true)
+ifeq ($(USE_IPTABLES),true)
+$(error ERROR: Both USE_NFTABLES and USE_IPTABLES variables set, you can not set both to true)
+endif
+endif
+
 # Link with -lrt (only for glibc versions before 2.17)
 RT_LDFLAGS ?= -lrt
 
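Review bot: The four new `TRANSFORMS += -e 's:@@USE_…@@:…:g'` appends in this hunk (USE_CAT, USE_NFLOG, USE_IPTABLES, USE_NFTABLES) carry their own `-e`, but the unchanged tail of TRANSFORM_VARIABLES in the first hunk expands the list with `$(patsubst %, -e %, $(TRANSFORMS))`, which prefixes every whitespace-separated word with `-e`. Each entry would therefore reach sed as `-e -e -e 's:…:g'`, so sed is handed a literal `-e` as a script, which it should reject. That would break generation of the files that take the firewall-backend settings from these placeholders. Unless TRANSFORMS is consumed differently outside the visible hunks, drop the flag from the appends, e.g. `TRANSFORMS += 's:@@USE_NFTABLES@@:$(USE_NFTABLES):g'`, and likewise for the other three.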
@@ -928,25 +972,6 @@ ifdef RETRANSMIT_INTERVAL_DEFAULT
 USERLAND_CFLAGS += -DRETRANSMIT_INTERVAL_DEFAULT_MS="$(RETRANSMIT_INTERVAL_DEFAULT)"
 endif
 
-# iptables for CAT, or NFLOG, look, barf, verify
-USE_IPTABLES ?= false
-ifeq ($(USE_IPTABLES),true)
-USERLAND_CFLAGS += -DUSE_IPTABLES
-endif
-
-# nft for cat nflog cat linux specific
-USE_NFTABLES ?= false
-ifeq ($(USE_NFTABLES),true)
-USERLAND_CFLAGS += -DUSE_NFTABLES
-endif
-
-# check for USE_NFTABLES and USE_IPTABLES - both can't be set
-ifeq ($(USE_NFTABLES),true)
-ifeq ($(USE_IPTABLES),true)
-$(error ERROR: Both USE_NFTABLES and USE_IPTABLES variables set, you can not set both)
-endif
-endif
-
 ifeq ($(HAVE_BROKEN_POPEN),true)
 USERLAND_CFLAGS += -DHAVE_BROKEN_POPEN
 endif

